
Hirte attack

Description

The Hirte attack is a client attack which can use any IP or ARP packet. It extends the Cafe Latte attack by allowing any packet to be used, rather than being limited to client ARP packets.

The following describes the attack in detail.

The basic idea is to generate an ARP request to be sent back to the client such that the client responds.

The attack needs either an ARP or IP packet from the client. From this, we need to generate an ARP request. The ARP request must have the target IP (the client IP) at byte position 33, and the target MAC should be all zeroes. However, in practice the target MAC can really be any value.

The source IP in the packet received from the client is in a known position: position 23 for ARP or 21 for IP. ARP is assumed if the packet is 68 or 86 bytes in length and has a broadcast destination MAC address. Otherwise it is assumed to be an IP packet.

In order to send a valid ARP request back to the client, we need to move the source IP to position 33. Of course you can't simply move bytes around; that would invalidate the packet. So instead, we use packet fragmentation to achieve this. The ARP request is sent to the client as two fragments. The first fragment length is selected such that the incoming source IP lands at position 33 when the fragments are ultimately reassembled by the client. The second fragment is the original packet received from the client.

In the case of an IP packet, a similar technique is used. However, due to the more limited amount of PRGA available, three fragments plus the original packet are used.

In all cases, bit flipping is used to ensure the CRC is correct. Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast.
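The on-air footprint of the technique described above is a protected (WEP) data frame delivered to the client as several 802.11 fragments of one sequence number: two fragments in the ARP case, four (three plus the original packet) in the IP case. The following is an added monitor-side example, not code from this page or from aircrack-ng: it parses the 802.11 MAC header of captured data frames, groups protected frames by transmitter, receiver and sequence number, and reports every delivery that arrived fragmented. The frames, MAC addresses and sequence numbers are constructed sample data, and the grouping rule is an assumption of this example. Note that drivers legitimately fragment frames larger than their fragmentation threshold, so this is a baselining heuristic rather than a signature: fragmented protected traffic toward a station on a network that normally never fragments is what warrants a closer look.

```python
import struct
from collections import defaultdict

# 802.11 frame-control constants (byte 0 type field, byte 1 flag bits).
FC_TYPE_DATA = 2
FLAG_FROM_DS = 0x02
FLAG_MORE_FRAG = 0x04
FLAG_PROTECTED = 0x40


def build_data_header(addr1, addr2, addr3, seq, frag, more_frag, protected=True, from_ds=True):
    """Build a 24-byte 802.11 data-frame MAC header (constructed sample data, no body)."""
    fc0 = FC_TYPE_DATA << 2  # protocol version 0, type Data, subtype 0
    fc1 = (FLAG_FROM_DS if from_ds else 0) | (FLAG_MORE_FRAG if more_frag else 0) \
        | (FLAG_PROTECTED if protected else 0)
    seq_ctrl = (seq << 4) | (frag & 0x0F)  # fragment number lives in the low 4 bits
    return bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + struct.pack("<H", seq_ctrl)


def parse_data_header(frame):
    """Return the header fields of a data frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != FC_TYPE_DATA:
        return None
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    return {
        "receiver": frame[4:10].hex(":"),
        "transmitter": frame[10:16].hex(":"),
        "from_ds": bool(fc1 & FLAG_FROM_DS),
        "more_frag": bool(fc1 & FLAG_MORE_FRAG),
        "protected": bool(fc1 & FLAG_PROTECTED),
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0x0F,
    }


def find_fragmented_deliveries(frames):
    """Group protected data frames by (transmitter, receiver, sequence number) and
    report each MSDU that was delivered as more than one fragment."""
    groups = defaultdict(list)
    for raw in frames:
        h = parse_data_header(raw)
        if h is None or not h["protected"]:
            continue
        groups[(h["transmitter"], h["receiver"], h["seq"])].append(h)

    alerts = []
    for (tx, rx, seq), frags in sorted(groups.items()):
        frags.sort(key=lambda f: f["frag"])
        fragmented = len(frags) > 1 or any(f["more_frag"] or f["frag"] > 0 for f in frags)
        if not fragmented:
            continue
        # Complete means fragments 0..n-1 were all seen and the last one has MF clear.
        complete = [f["frag"] for f in frags] == list(range(len(frags))) and not frags[-1]["more_frag"]
        alerts.append({
            "transmitter": tx, "receiver": rx, "seq": seq,
            "fragments": len(frags), "complete": complete,
            "from_ds": frags[0]["from_ds"],
        })
    return alerts


# Constructed sample capture (labelled as such): a station, the BSSID it is
# associated to, and one unrelated sender on an open network.
STA = bytes.fromhex("02aabbccdd01")
BSSID = bytes.fromhex("02aabbccdd02")
OPEN_AP = bytes.fromhex("02aabbccdd03")

SAMPLE_FRAMES = [
    # Two-fragment protected delivery to the station (ARP-shaped case).
    build_data_header(STA, BSSID, BSSID, 100, 0, True),
    build_data_header(STA, BSSID, BSSID, 100, 1, False),
    # Four-fragment protected delivery (IP-shaped case: three fragments plus the original).
    build_data_header(STA, BSSID, BSSID, 101, 0, True),
    build_data_header(STA, BSSID, BSSID, 101, 1, True),
    build_data_header(STA, BSSID, BSSID, 101, 2, True),
    build_data_header(STA, BSSID, BSSID, 101, 3, False),
    # Ordinary unfragmented protected frame: not reported.
    build_data_header(STA, BSSID, BSSID, 102, 0, False),
    # Fragmented but unprotected traffic from an open AP: outside this rule's scope.
    build_data_header(STA, OPEN_AP, OPEN_AP, 7, 0, True, protected=False),
    build_data_header(STA, OPEN_AP, OPEN_AP, 7, 1, False, protected=False),
]

if __name__ == "__main__":
    for alert in find_fragmented_deliveries(SAMPLE_FRAMES):
        print(alert)
```

Run over the sample capture the function returns two alerts, one with 2 fragments (sequence 100) and one with 4 (sequence 101), both complete and both sent from the distribution system toward the station; the unfragmented frame and the open-network fragments are ignored. On a real capture, feed it the raw 802.11 frames from a monitor-mode interface and compare the alert rate against the network's normal fragmentation behaviour.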